Security News

Mobile medical care firm DocGo confirmed it suffered a cyberattack after threat actors breached its systems and stole patient health data. DocGo is a healthcare provider that offers mobile health services, ambulance services, and remote monitoring for patients in thirty US states and across the United Kingdom.

BetterHelp has agreed to pay $7.8 million in a settlement agreement with the U.S. Federal Trade Commission over allegations of misusing and sharing consumer health data for advertising purposes. The data included included email addresses, IP addresses, answers from preliminary health questionnaire during sign-up process, which came with a promise of not disclosing personal health info outside limited purposes, like counseling services.

Non-profit healthcare service provider Group Health Cooperative of South Central Wisconsin has disclosed that a ransomware gang breached its network in January and stole documents containing the personal and medical information of over 500,000 individuals. "On February 9, 2024, during our investigation, we discovered indications that the attacker had copied some of GHC-SCW's data, which included protected health information. Our discovery was confirmed when the attacker, a foreign ransomware gang, contacted GHC-SCW claiming responsibility for the attack and stealing our data."

A New York law firm has agreed to pay $200,000 in penalties to the state because it failed to protect the private and electronic health information of approximately 114,000 patients. Heidell, Pittoni, Murphy and Bach represents New York City area hospitals in litigation and maintains sensitive private information from patients, including dates of birth, social security numbers, health insurance information, medical history, and/or health treatment information.

New York law firm Heidell, Pittoni, Murphy and Bach has agreed to pay $200,000 to settle a data-breach lawsuit related to the now-notorious Hafnium Microsoft Exchange attacks that siphoned sensitive data from victims around the world. New York Attorney General Letitia James, who brought the lawsuit against the lawyers, blamed HPMB's poor data security practices for the privacy breach.

Health data and other personal information of members of Congress and staff were stolen during a breach of servers run by DC Health Care Link and are now up for sale on the dark web. Szpindor called the incident "a significant data breach" that exposed the personal identifiable information of thousands of DC Health Link employees and warned the Representatives that their data may have been compromised.

The Federal Trade Commission has proposed to ban the online counseling service BetterHelp from sharing its customers' sensitive mental health data with advertising networks and marketers. A settlement between the FTC and BetterHelp also requires the company to pay $7.8 million as restitution to its users whose sensitive data has been shared with third parties such as Facebook and Snapchat.

As the NHS in England is set to launch a competition for a far-reaching patient data platform, a public consultation has said decisions about health data sharing should not be taken by politicians. A report by England's National Data Guardian, an independent watchdog for health data appointed by the Secretary of State for Health and Social Care, found that in citizen juries consulted on health data, "Very few jurors wanted decisions about the future of these initiatives to be taken by the minister or organization accountable for them. Most believed that an independent body of experts and lay people should assess the data sharing initiatives."

Kaiser Permanente, one of America's leading not-for-profit health plans and health care providers, has recently disclosed a data breach that exposed the health information of more than 69,000 individuals. Founded in 1945, Kaiser Permanente provides health care services to over 12.5 million members from 8 U.S. states and Washington, D.C. The company revealed in a notice published on its website that an attacker accessed an employee's email account containing patients' protected health information on April 5, 2022, without authorization.

A report of the European Union Agency for Cybersecurity explores how pseudonymization techniques can help increase the protection of health data. This is especially true since providing health services today implies an extended exchange of medical information and of health data among different healthcare service providers.